This paper is aimed at facilitating firewall purchasing decisions. It contains factual information from various independent sources and vendors. It proposes a comparison of the leading firewalls, as opposed to a thorough analysis of all existing firewalls, and therefore only highlights the relevant differences among those top products without listing all supported features. In this analysis, the firewalls under the light (or under fire) are: AltaVista Firewall, CheckPoint Firewall-1, CyberGuard, Raptor Eagle, Secure Computing SideWinder and TIS Gauntlet.
The selection of these firewalls is based on several factors. First, they have all been evaluated in recent reviews conducted by magazines such as BackOffice, VARbusiness, NetworkWorld and DataCommunications. They are also dedicated application gateway firewalls, as opposed to mere extensions of routers or easily spoofed packet filter solutions. This means that they provide support for application-layer information and content screening for maximum security.
These six application gateway firewalls support most proxies such as telnet, ftp, SQL*net, http, RealAudio, generic udp and tcp. They are designed to scale up to enterprise computing with DMZ configurations using high-speed adapters. They also support strong management including alarming, advanced notification and remote administration.
This analysis is based upon six criteria.
Security is obviously the key attribute in a firewall selection. All these firewalls are very much on a par regarding critical security features. As an example, in the specific case of denial of service attacks, these six products take appropriate action against ping of death, SYN flooding, and the filling of logs and disks. Below are highlighted some key differences in screening, logging, vulnerability risks and active alarming.
Screening
Content screening filters traffic with fine granularity for maximum security, yet allows specific applications to traverse the firewall.

|  | AltaVista Firewall 97 | CheckPoint Firewall-1 V3.0 | Raptor Eagle V4.0 | CyberGuard V3.0 | Secure Computing SideWinder V3 | TIS Gauntlet V3.2 |
|---|---|---|---|---|---|---|
| Content screening | X | X | X | X | X | X |
| Java blocking | X | X | X | O | O | X |
| ActiveX blocking | O | X | O | O | O | X |
| Integrated virus scanning | O | X | O | O | O | X |

(X = supported, O = not supported)
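What "Java blocking" and "ActiveX blocking" amount to in an application gateway is shown by the added example below. It is not code from any of the six products; it models an HTTP proxy that parses the response body, removes the element that carries mobile code (and everything nested inside it, such as `<param>` tags) and leaves a marker comment so both the user and the firewall log show what was stripped. The classification rule is an assumption about what such a proxy would match: `<applet>` is Java; `<object>` is ActiveX when its `classid` starts with `clsid:` (a COM class id) and Java when the `classid` starts with `java:` or its `type` mentions Java; `<embed>` is Java when its `type` mentions Java. The sample page is constructed.

```python
from html.parser import HTMLParser


class MobileCodeFilter(HTMLParser):
    """Drop Java applets and ActiveX controls from one HTML response body.

    Added example; the classification rule in _classify is an assumption,
    not any vendor's documented behaviour.
    """

    MARK = "<!-- %s content removed by firewall -->"

    def __init__(self, block_java=True, block_activex=True):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. verbatim
        self.block_java = block_java
        self.block_activex = block_activex
        self.out = []           # filtered HTML fragments, joined at the end
        self.blocked = []       # (kind, tag) records for the firewall log
        self._skip_tag = None   # element currently being dropped
        self._skip_depth = 0    # nesting depth inside that element

    @staticmethod
    def _classify(tag, attrs):
        """Return 'java', 'activex' or None for a start tag."""
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            return "java"
        if tag == "object":
            classid = a.get("classid", "").lower()
            if classid.startswith("clsid:"):      # COM class id => ActiveX
                return "activex"
            if classid.startswith("java:") or "java" in a.get("type", "").lower():
                return "java"
        if tag == "embed" and "java" in a.get("type", "").lower():
            return "java"
        return None

    def _wants_blocked(self, kind):
        return (kind == "java" and self.block_java) or \
               (kind == "activex" and self.block_activex)

    def _emit(self, text):
        if not self._skip_depth:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag == self._skip_tag:     # same element nested (object fallback)
                self._skip_depth += 1
            return
        kind = self._classify(tag, attrs)
        if kind and self._wants_blocked(kind):
            self.blocked.append((kind, tag))
            self.out.append(self.MARK % kind)
            if tag != "embed":            # <embed> normally has no end tag
                self._skip_tag, self._skip_depth = tag, 1
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if self._skip_depth:
            return
        kind = self._classify(tag, attrs)
        if kind and self._wants_blocked(kind):
            self.blocked.append((kind, tag))
            self.out.append(self.MARK % kind)
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag == self._skip_tag:
                self._skip_depth -= 1
            return
        self.out.append("</%s>" % tag)

    # Text, comments and references pass through unless inside a dropped element.
    def handle_data(self, data):
        self._emit(data)

    def handle_comment(self, data):
        self._emit("<!--%s-->" % data)

    def handle_entityref(self, name):
        self._emit("&%s;" % name)

    def handle_charref(self, name):
        self._emit("&#%s;" % name)

    def handle_decl(self, decl):
        self._emit("<!%s>" % decl)


def screen_html(html, block_java=True, block_activex=True):
    """Filter one HTML body; returns (filtered_html, list of (kind, tag) blocked)."""
    f = MobileCodeFilter(block_java, block_activex)
    f.feed(html)
    f.close()
    return "".join(f.out), f.blocked


# Constructed sample page (not from the paper): an applet, then an ActiveX
# object whose fallback content is a Java object, surrounded by ordinary markup.
SAMPLE_PAGE = (
    '<html><body><p>Hello &amp; welcome</p>'
    '<applet code="Clock.class" width="100"><param name="tz" value="UTC"></applet>'
    '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">'
    '<param name="movie" value="x.swf">'
    '<object classid="java:Fallback.class">no plugin</object></object>'
    '<img src="logo.gif"></body></html>'
)
```

Running `screen_html(SAMPLE_PAGE)` returns the page with both mobile-code elements replaced by marker comments and a `blocked` list of `[("java", "applet"), ("activex", "object")]`; the nested Java `<object>` is swallowed with its ActiveX parent rather than logged twice. A product that offers only one of the two policies corresponds to calling it with `block_java=False` or `block_activex=False`.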
Vulnerability risks
In March, DataComm ran a complete suite of attacks against these firewalls to detect any holes. These extensive tests included sendmail, ftp, NFS, NIS and NetBIOS based attacks, as well as TCP sequence prediction. The chart illustrates the outcome of this testing.

Logging Capabilities
Logging capabilities are essential to detect and take action upon key events. All firewalls are able to detect most common attacks, but only a few are able to detect the transfer of sensitive files containing passwords or the download of entire directory trees. Even fewer are able to notify system administrators of such threats in the middle of the night.
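The two detections singled out above (a transfer of a password file, and the download of an entire directory tree) are easy to state but are worth seeing as actual logic over log lines. The added example below is not any vendor's code; it assumes a constructed ftp-proxy log format (`ftp-gw[pid]: client=... user=... cmd=RETR path=...`), a sensitive-name list, and sweep thresholds (20 files from 3 or more directories within 5 minutes) that are illustrative choices. It also maps each alert to a tier so the "notify in the middle of the night" case (paging) is distinguished from a mail-only warning; the tier-to-channel table is likewise an assumption.

```python
import posixpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not a vendor's format):
#   1997-03-21 02:14:09 ftp-gw[812]: client=10.1.2.3 user=anonymous cmd=RETR path=/etc/passwd bytes=1834
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ftp-gw\[\d+\]: "
    r"client=(?P<client>\S+) user=(?P<user>\S+) cmd=(?P<cmd>\w+) path=(?P<path>\S+)"
)

# Basenames that commonly hold credentials (illustrative list), matched case-insensitively.
SENSITIVE_NAMES = {"passwd", "shadow", "master.passwd", ".htpasswd", "sam"}

# A "directory tree download": at least SWEEP_FILES retrievals from at least
# SWEEP_DIRS distinct directories by one client within SWEEP_WINDOW (assumed thresholds).
SWEEP_WINDOW = timedelta(minutes=5)
SWEEP_FILES = 20
SWEEP_DIRS = 3

# Tiered alarming: which notification channels each tier triggers (assumed mapping).
TIER_ACTIONS = {"critical": ("page", "mail", "snmp-trap"), "warning": ("mail",)}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def analyse(lines):
    """Scan log lines in order; return alerts as (tier, client, message) tuples."""
    alerts = []
    recent = defaultdict(deque)   # client -> deque of (ts, directory) inside the window
    already_swept = set()         # clients already reported, so one alert per sweep
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["cmd"] != "RETR":
            continue
        client, path, ts = ev["client"], ev["path"], ev["ts"]

        # 1. Transfer of a file that is likely to contain passwords.
        if posixpath.basename(path).lower() in SENSITIVE_NAMES:
            alerts.append(("critical", client,
                           "sensitive file retrieved by %s: %s" % (ev["user"], path)))

        # 2. Per-client sliding window to spot a recursive directory download.
        window = recent[client]
        window.append((ts, posixpath.dirname(path)))
        while ts - window[0][0] > SWEEP_WINDOW:
            window.popleft()
        dirs = {d for _, d in window}
        if (len(window) >= SWEEP_FILES and len(dirs) >= SWEEP_DIRS
                and client not in already_swept):
            already_swept.add(client)
            alerts.append(("warning", client,
                           "directory tree download: %d files from %d directories"
                           % (len(window), len(dirs))))
    return alerts


def notifications(alerts):
    """Expand alerts into (channel, client, message) actions per TIER_ACTIONS."""
    return [(chan, client, msg)
            for tier, client, msg in alerts
            for chan in TIER_ACTIONS.get(tier, ())]


def constructed_log():
    """Constructed sample log (not real data): one password-file fetch and one sweep."""
    lines = [
        "1997-03-21 02:14:05 ftp-gw[812]: client=10.1.2.3 user=anonymous cmd=RETR path=/pub/README bytes=512",
        "1997-03-21 02:14:09 ftp-gw[812]: client=10.1.2.3 user=anonymous cmd=RETR path=/etc/passwd bytes=1834",
        "garbage line the parser must ignore",
    ]
    start = datetime(1997, 3, 21, 2, 20, 0)
    for i in range(24):    # 24 files from 4 directories in under two minutes
        ts = (start + timedelta(seconds=5 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append("%s ftp-gw[813]: client=10.9.8.7 user=ftp cmd=RETR "
                     "path=/pub/dir%d/file%02d.zip bytes=4096" % (ts, i % 4, i))
    return lines
```

`analyse(constructed_log())` yields one critical alert for the `/etc/passwd` retrieval and one warning for the sweep (raised on the 20th file, not once per file), and `notifications()` turns the critical alert into a page, a mail and an SNMP trap while the warning only produces mail. The sweep heuristic is deliberately keyed on distinct directories rather than file count alone, so a client fetching many files from a single download area does not trip it.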

Performance is a key criterion to make sure that the firewall can maintain maximum security, handle the load and keep on going. MIS managers want a product that is compatible with their needs, for either an Internet firewall with ISDN to T3 WAN connections or an intranet configuration with Fast Ethernet or even ATM links. They also want a product that can scale without headaches. Below are two charts that characterize firewall performance on both UNIX and NT.
UNIX Benchmarks
UNIX benchmarks can stress high-end firewalls. This testing is however not an apples-to-apples comparison, since various hardware platforms are used for testing. The following chart is from DataCommunications 3/21/97. It ranks the firewalls in decreasing order of performance: AltaVista, CheckPoint, CyberGuard, Raptor, TIS and Secure Computing.
NT Benchmarks
This NT benchmark compared the leading firewalls on the same platform. This test is also very representative of the robustness and level of integration with NT. The test matrix only shows proxy-level implementations, to be consistent with the security comparison above.

Firewall management is mostly aimed at reinforcing security by avoiding misconfigurations, detecting threats, raising appropriate alarms and finally notifying system administrators or taking action on their behalf. As a result, firewalls must be easy to configure and administer. Another important firewall characteristic is the ability to manage the firewall(s) from a centralized location, either from the intranet or from an untrusted network. All firewalls evaluated in this paper offer those features. The following charts compare the quality and sophistication of their implementations.
Actions and notifications
The following are the actions and notification mechanisms that MIS managers may want the firewall to trigger upon specific network events.

|  | AltaVista Firewall 97 | CheckPoint Firewall-1 V3 | Raptor Eagle V4.0 | CyberGuard V3.0 | Secure Computing SideWinder V3 | TIS Gauntlet V3.2 |
|---|---|---|---|---|---|---|
| Tiered alarming | X | O | O | O | O | O |
| Mail | X | X | X | X | X | X |
| SNMP trap | X | X | X | X | X | O |
| Paging | X | X | X | X | X | X |
| Shutdown services | X | O | O | O | O | O |
| Shutdown firewall | X | O | O | O | O | O |

(X = supported, O = not supported)
Alarming and reporting

Scalability and reliability
The architecture required to ensure reliability is sometimes considered overkill. However, in some configurations unpredictable downtime is not an option, and this overkill becomes a necessity. Scalability is also important for any company concerned about future growth.

Standard Platforms
Standard platforms are usually preferred over proprietary, even hardened, operating systems. Over time, standard platforms better protect the investment with regard to maintenance, version upgrades and new functionality.

|  | AltaVista Firewall 97 | CheckPoint Firewall-1 V3 | Raptor Eagle V4.0 | CyberGuard V3.0 | Secure Computing SideWinder V3 | TIS Gauntlet V3.2 |
|---|---|---|---|---|---|---|
| Windows NT | X | X | X | O | X (just introduced) | X |
| Standard UNIX | X | X | X | O | O | X |

(X = supported, O = not supported)
Prices
Version upgrades and maintenance services are very much comparable among these six vendors. The bottom line becomes the price.
| Users (license size) | AltaVista Firewall 97 | CheckPoint Firewall-1 V3 | Raptor Eagle V4.0 | CyberGuard V3.0 | Secure Computing SideWinder V3 | TIS Gauntlet V3.2 |
|---|---|---|---|---|---|---|
| 25 | (future) | $2,995 | - | - | $3,000 (BSD) (+4K for DMZ) | - |
| 50 | $3,995 | $4,995 | $6,500 (NT), $7,000 (Unix) | $9,995 | $7,000 (BSD) (+4K for DMZ) | $11,500 (Unix), $5,000 (NT) |
| 100 | - | $7,995 | - | - | - | - |
| 200 | $7,995 | - | $11,000 (NT), $15,000 (Unix) | - | - | - |
| 250 | - | $9,995 | - | $14,995 | - | $11,500 (Unix), $11,500 (NT) |
| Unlimited | $14,995 | $18,990 | $15,000 (NT), $25,000 (Unix) | $19,995 | $7,000 (BSD) (+4K for DMZ) | $11,500 (Unix) |
According to this impressive independent analysis, why didn't AltaVista Firewall obtain the DataComm Tester's Choice award? The answer is simply: bad timing. Only an early V3.0 beta version was tested, and not all the new features such as DMZ support were fully tested at the time of the evaluation. DataCommunications stated: "except for being limited to two interfaces, the AltaVista Firewall 97 is one of the strongest entries in this test." AltaVista's "honorable mention" (5th place) would have turned into this award had the evaluation taken place one month later...
The AltaVista Firewall lacks some screening capabilities such as ActiveX blocking and integrated virus scanning. The NT version lacks a few sophisticated features that the UNIX version currently supports. This will be solved in the next release.
The AltaVista Firewall offers the lowest vulnerability to attack and provides one of the richest logging capabilities, including specific notifications.
AltaVista is by far the fastest firewall in the marketplace with no compromise on security. This demonstrates not only the high efficiency of the AltaVista implementation but also its very tight integration with the NT operating system.
It "shines in ease of management" (DataComm 3/21/97). "It is the easiest firewall to control and configure" (NetworkWorld 2/3/97). AltaVista also leads in management features with the most advanced reporting and alarming features, consistent with its active firewall message.
Overall, AltaVista offers excellent security and best-in-class performance and management features, supported by a very robust and reliable implementation. The only ambiguity in this very attractive proposition is the price: so low that it surprisingly does not match the strong value of this offering. AltaVista has indeed decided on a volume strategy that works: according to VARbusiness (3/1/97), AltaVista Firewall is the most improved and best selling Internet firewall!